The General Services Administration announced FedRAMP 20x on March 24, 2025, replacing the slow, document-heavy Joint Authorization Board (JAB) and Agency authorization tracks with an automation-first program targeting a 20x reduction in authorization time. Phase One ran from April through September 2025 and existed primarily to prove that machine-readable, continuously validated security packages were possible at all. The pilot received 26 complete submissions between May 30 and August 18, 2025, granted the first authorizations in late July, and completed 13 full reviews by the end of September. A 41-day federal shutdown from October 1 to November 13, 2025, then stalled the remaining 13 reviews. The pilot was not the demonstration anyone had hoped for, but the data points are useful.
What problem is FedRAMP 20x trying to solve?
The legacy FedRAMP authorization process took, on average, 22 months from kickoff to Authority to Operate (ATO). The cost per authorization, including 3PAO assessment fees, agency sponsorship coordination, and remediation cycles, averaged $2.25 million for Moderate-impact packages. The slowness was structural. Security packages were PDFs, often hundreds of pages each. Continuous monitoring deliverables were monthly spreadsheets. Each agency-specific ATO required bespoke re-negotiation of inherited controls. The FedRAMP Program Management Office (PMO) processed everything by manual review. For commercial SaaS vendors, the result was that products mature enough to serve regulated industries could not reach the federal market until the security investment had aged a year and a half.
What changed in the Phase One pilot?
Three things. First, security packages were submitted in Open Security Controls Assessment Language (OSCAL), a NIST-developed JSON/XML/YAML schema (NIST IR 8407). OSCAL is machine-readable, so PMO reviewers can process a package with tooling rather than reading a PDF line by line. Second, Key Security Indicators (KSIs) were introduced: a subset of high-signal controls (such as encryption in transit, FIPS-validated cryptographic modules, MFA on privileged accounts, and patched CVE inventories) whose evidence the system emits continuously rather than re-asserting annually. Third, the 3PAO assessment scope was limited to validating the KSI emission mechanism rather than re-testing every NIST SP 800-53 control. The proof points are visible in the published Phase One materials at fedramp.gov/20x/phase-one. The record below shows the shape of a single KSI evidence emission.
{
  "key_security_indicator": "KSI-CR-01",
  "control_id": "SC-13",
  "description": "FIPS 140-3 validated cryptographic modules",
  "evidence_method": "automated",
  "emission_frequency": "continuous",
  "validation_endpoint": "https://example.example.com/.well-known/ksi/sc-13",
  "last_attestation": "2025-09-15T14:22:31Z",
  "3pao_validator": "Example3PAOName",
  "validation_result": "pass"
}
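The Phase One finding that vendors sent KSI payloads in inconsistent shapes is exactly what a schema check at the submission boundary catches. The following Python is an added example, not code from FedRAMP or from any vendor: the schema is constructed from the fields of the sample record above and is not FedRAMP's published Schema v1.0, the allowed enum values and identifier patterns are assumptions, and the validator implements only the handful of JSON Schema keywords the constructed schema uses (type, required, properties, additionalProperties, enum, pattern, format=date-time) so it runs with the standard library alone.

```python
"""Validate a KSI evidence payload against a JSON Schema-style description.

Added example. KSI_SCHEMA is a constructed, hypothetical schema modelled on
the sample record on this page; it is not FedRAMP Schema v1.0. The enum
values and identifier patterns are assumptions for illustration.
"""
import json
import re
from datetime import datetime

# Constructed schema (hypothetical), modelled on the page's sample KSI payload.
KSI_SCHEMA = {
    "type": "object",
    "required": [
        "key_security_indicator", "control_id", "description",
        "evidence_method", "emission_frequency", "validation_endpoint",
        "last_attestation", "3pao_validator", "validation_result",
    ],
    "properties": {
        "key_security_indicator": {"type": "string", "pattern": r"^KSI-[A-Z]{2,4}-\d{2}$"},
        "control_id": {"type": "string", "pattern": r"^[A-Z]{2}-\d+(\(\d+\))?$"},
        "description": {"type": "string"},
        "evidence_method": {"type": "string", "enum": ["automated", "manual"]},
        "emission_frequency": {"type": "string", "enum": ["continuous", "daily", "monthly"]},
        # Evidence endpoints must be served over TLS; plaintext URLs are rejected.
        "validation_endpoint": {"type": "string", "pattern": r"^https://"},
        "last_attestation": {"type": "string", "format": "date-time"},
        "3pao_validator": {"type": "string"},
        "validation_result": {"type": "string", "enum": ["pass", "fail"]},
    },
    # Unknown fields are a sign of a vendor-specific format drifting from the spec.
    "additionalProperties": False,
}


def _is_rfc3339(value):
    """True if value parses as an RFC 3339 / ISO 8601 timestamp (a trailing Z is accepted)."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_ksi(payload, schema=KSI_SCHEMA):
    """Return a list of violations; an empty list means the payload conforms."""
    if not isinstance(payload, dict):
        return ["payload is not a JSON object"]
    errors = []
    for key in schema["required"]:
        if key not in payload:
            errors.append(f"missing required field: {key}")
    props = schema["properties"]
    for key, value in payload.items():
        if key not in props:
            if not schema.get("additionalProperties", True):
                errors.append(f"unexpected field: {key}")
            continue
        rule = props[key]
        if rule.get("type") == "string" and not isinstance(value, str):
            errors.append(f"{key}: expected string, got {type(value).__name__}")
            continue  # pattern/format checks below assume a string
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{key}: {value!r} not in {rule['enum']}")
        if "pattern" in rule and not re.match(rule["pattern"], value):
            errors.append(f"{key}: {value!r} does not match {rule['pattern']}")
        if rule.get("format") == "date-time" and not _is_rfc3339(value):
            errors.append(f"{key}: {value!r} is not an RFC 3339 timestamp")
    return errors


def load_and_validate(text):
    """Parse raw JSON text from a validation endpoint and validate it."""
    try:
        payload = json.loads(text)
    except json.JSONDecodeError:
        return ["payload is not valid JSON"]
    return validate_ksi(payload)


# Constructed inputs: the page's sample record, and a malformed variant of it.
GOOD_PAYLOAD = {
    "key_security_indicator": "KSI-CR-01",
    "control_id": "SC-13",
    "description": "FIPS 140-3 validated cryptographic modules",
    "evidence_method": "automated",
    "emission_frequency": "continuous",
    "validation_endpoint": "https://example.example.com/.well-known/ksi/sc-13",
    "last_attestation": "2025-09-15T14:22:31Z",
    "3pao_validator": "Example3PAOName",
    "validation_result": "pass",
}
BAD_PAYLOAD = dict(
    GOOD_PAYLOAD,
    validation_endpoint="http://example.example.com/.well-known/ksi/sc-13",  # plaintext
    last_attestation="09/15/2025 14:22",  # not RFC 3339
    validation_result="PASS",  # wrong case for the enum
)

if __name__ == "__main__":
    print("good:", validate_ksi(GOOD_PAYLOAD))
    for err in validate_ksi(BAD_PAYLOAD):
        print("bad: ", err)
```

Running the block prints an empty list for the page's record and three violations for the malformed one. The design point is that every violation is reported, not just the first, so a vendor gets a complete list to fix rather than a rejection loop, and that a schema check happens before any content review starts.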
Who got authorized in Phase One?
FedRAMP has not yet published the full list of authorized Phase One participants. The first cohort of authorizations was announced in late July 2025; subsequent authorizations followed through August and September. Participants self-selected against the Phase One scope, which required existing Moderate-impact baselines and the ability to emit KSI evidence via API. The 13 completed reviews represent a mix of cloud-native SaaS providers and infrastructure-layer services. The unprocessed 13 submissions were caught in the October-November shutdown queue and were among the first packages reviewed when the PMO resumed operations on November 17, 2025.
What did Phase One get wrong?
Two things. First, the KSI specification was still being iterated during the pilot. Initial versions did not define the JSON Schema for evidence emission tightly enough, and PMO reviewers received KSI payloads in inconsistent formats from different vendors. By August, FedRAMP had published Schema v1.0 at fedramp.gov/20x/ksi and required submissions to validate against it. Second, sponsor-agency coordination. Phase One was designed to issue Provisional Authorizations from the PMO directly, but several participants still required an agency sponsor to issue an ATO covering their actual production use. The Phase Two specification (published September 30, 2025 in the "Built a Modern Foundation in FY25" blog post) preserves the agency role but reduces re-validation to KSI delta review rather than full package re-review.
What does Phase Two require?
Phase Two, opening for submissions in early 2026, extends the KSI catalog from 28 indicators in Phase One to approximately 60 indicators covering all major NIST SP 800-53 Rev. 5 control families. Continuous monitoring shifts from monthly POA&M reports to streaming KSI emission, with the PMO subscribing to vendor-published validation endpoints rather than ingesting periodic spreadsheets. The 3PAO model is replaced by Continuous Security Monitoring Service Providers (CSMSPs) that attest to KSI emission veracity on an ongoing basis rather than once per year. The September 30, 2025 announcement set a target of granting authorizations in 90 days or less for compliant Phase Two submissions, which was the original 20x promise.
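Two mechanics in the Phase Two model are easy to get wrong on the subscriber side: a "pass" that stops being refreshed must not keep counting as a pass, and a delta review only works if the comparison is between two snapshots of KSI status rather than two whole packages. The following Python is an added example, not FedRAMP, PMO or vendor code. It models a subscriber consuming the stream of emissions published at the validation endpoints described above (the KSI delta review is the one mentioned under "What did Phase One get wrong?"). The catalog, every identifier other than KSI-CR-01, the 24-hour freshness window and all emission records are constructed for illustration; the page does not specify a freshness rule, so that threshold is an assumption.

```python
"""Subscriber-side evaluation of streamed KSI evidence.

Added example, not FedRAMP or vendor code. It judges each catalog KSI as
pass/fail/stale/missing against a freshness window, then produces the delta
between a previously accepted snapshot and the current one so only changes
need review. The catalog, the identifiers other than KSI-CR-01, the 24-hour
window and all emission records are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed catalog: the KSIs the subscriber expects to see emitted.
# Only KSI-CR-01 and its description come from the page; the rest are made up.
KSI_CATALOG = {
    "KSI-CR-01": "FIPS 140-3 validated cryptographic modules",
    "KSI-IAM-01": "MFA enforced on privileged accounts",
    "KSI-VM-01": "CVE inventory patched within SLA",
    "KSI-NET-01": "Encryption in transit",
}


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; a trailing Z is normalised to +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_emissions(emissions, now, max_age=timedelta(hours=24), catalog=KSI_CATALOG):
    """Collapse a stream of emissions into one status per catalog KSI.

    Only the newest emission per KSI counts, regardless of arrival order.
    A 'pass' older than max_age is downgraded to 'stale': a continuous
    indicator that stops updating is itself a finding. Catalog entries with
    no emission at all are 'missing'.
    """
    newest = {}
    for rec in emissions:
        ksi = rec["key_security_indicator"]
        ts = _parse_ts(rec["last_attestation"])
        if ksi not in newest or ts > newest[ksi][0]:
            newest[ksi] = (ts, rec["validation_result"])
    status = {}
    for ksi in catalog:
        if ksi not in newest:
            status[ksi] = "missing"
            continue
        ts, result = newest[ksi]
        if result != "pass":
            status[ksi] = "fail"
        elif now - ts > max_age:
            status[ksi] = "stale"
        else:
            status[ksi] = "pass"
    return status


def delta_review(baseline, current):
    """Return only what changed between an accepted snapshot and the current one.

    'regressed' needs reviewer attention, 'recovered' closes prior findings,
    'added' covers KSIs the baseline never tracked (for example a Phase Two
    catalog entry that did not exist in the Phase One baseline).
    """
    regressed = sorted(k for k in current if baseline.get(k) == "pass" and current[k] != "pass")
    recovered = sorted(k for k in current if baseline.get(k) not in (None, "pass") and current[k] == "pass")
    added = sorted(k for k in current if k not in baseline)
    return {"regressed": regressed, "recovered": recovered, "added": added}


# Constructed inputs. NOW is fixed so the result is reproducible.
NOW = datetime(2025, 9, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_EMISSIONS = [
    # ~21.6 hours old at NOW: still inside the 24-hour window.
    {"key_security_indicator": "KSI-CR-01", "last_attestation": "2025-09-15T14:22:31Z", "validation_result": "pass"},
    # A newer 'fail' arrives before an older 'pass'; the newer record must win.
    {"key_security_indicator": "KSI-IAM-01", "last_attestation": "2025-09-16T11:50:00Z", "validation_result": "fail"},
    {"key_security_indicator": "KSI-IAM-01", "last_attestation": "2025-09-16T11:05:00Z", "validation_result": "pass"},
    # Last seen six days ago: a 'pass' that has gone stale.
    {"key_security_indicator": "KSI-VM-01", "last_attestation": "2025-09-10T08:00:00Z", "validation_result": "pass"},
    # KSI-NET-01 is never emitted.
]
# Constructed snapshot the subscriber previously accepted (three-KSI catalog).
BASELINE_STATUS = {"KSI-CR-01": "pass", "KSI-IAM-01": "pass", "KSI-VM-01": "pass"}

if __name__ == "__main__":
    current = evaluate_emissions(SAMPLE_EMISSIONS, NOW)
    for ksi, state in current.items():
        print(f"{ksi:<11} {state:<8} {KSI_CATALOG[ksi]}")
    print(delta_review(BASELINE_STATUS, current))
```

The freshness window is the knob an agency would tune per KSI (an indicator declared "continuous" should be refreshed far more often than a daily one), which is why the example treats a stale pass as a distinct state rather than silently merging it into fail.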
What does this mean for SaaS vendors?
Three implications. First, FedRAMP becomes accessible to smaller vendors whose budgets could not absorb a 22-month, $2.25 million traditional path. The Phase Two specification estimates a target cost-per-authorization of $200,000-400,000, an 80-90 percent reduction. Second, OSCAL competence becomes table stakes. Vendors lacking automation to emit security state as machine-readable artifacts will have nothing to submit. Third, vendors should not assume their existing FedRAMP Moderate ATO survives unchanged. The KSI delta-review model applies to renewal too, and vendors who pass Phase Two assessment will move onto continuous monitoring while legacy ATO holders remain on annual assessments until they transition. FedRAMP has stated that the legacy program continues in parallel through at least 2027.
How Safeguard Helps
Safeguard emits the KSI evidence FedRAMP 20x requires directly from running infrastructure rather than from generated reports: continuous SBOM inventory, real-time CVE state from the package graph, FIPS module validation status, MFA enforcement telemetry, and encryption-in-transit attestations. The platform produces OSCAL-formatted submission packages and exposes KSI-compliant validation endpoints that the PMO and agency sponsors can subscribe to. Griffin AI cross-references KSI emissions against the FedRAMP Schema v1.0 and the underlying NIST SP 800-53 Rev. 5 controls, surfacing gaps before a 3PAO discovers them. For vendors currently mid-stream on a legacy authorization, Safeguard generates the delta map from the existing ATO baseline to the Phase Two KSI catalog so the transition is bounded work rather than a full re-authorization.